typeclaw 0.1.0 → 0.1.2

package/src/config/config.ts

@@ -104,6 +104,23 @@ export const gitignoreSchema = z
 
 export type GitignoreConfig = z.infer<typeof gitignoreSchema>
 
+// `blockInternal` is the kill-switch for the container-stage egress filter
+// installed by Dockerfile entrypoint shim: when true, the container is granted
+// CAP_NET_ADMIN at boot just long enough to install iptables OUTPUT rules
+// that DROP traffic to RFC1918, link-local (incl. cloud metadata), CGNAT,
+// multicast/reserved, IPv6 ULA/link-local/multicast. The capability is then
+// dropped from the bounding set via setpriv before the agent process exec's,
+// so no child (python, curl, bun-spawned anything) can mutate or recover it.
+// Default is `false` so existing agent folders are unaffected by an upgrade;
+// `typeclaw init` writes `true` for new agents (handled separately in init).
+export const networkSchema = z
+  .object({
+    blockInternal: z.boolean().default(false),
+  })
+  .default({ blockInternal: false })
+
+export type NetworkConfig = z.infer<typeof networkSchema>
+
 export const configSchema = z
   .object({
     $schema: z.string().optional(),
@@ -123,6 +140,7 @@ export const configSchema = z
     alias: z.array(z.string().trim().min(1)).default([]),
     channels: channelsSchema,
     portForward: portForwardSchema,
+    network: networkSchema,
     dockerfile: dockerfileSchema,
     gitignore: gitignoreSchema,
   })
@@ -213,6 +231,7 @@ export const FIELD_EFFECTS: Record<string, FieldEffect> = {
   alias: 'applied',
   channels: 'applied',
   portForward: 'restart-required',
+  network: 'restart-required',
   dockerfile: 'restart-required',
   gitignore: 'restart-required',
 }
@@ -276,6 +295,7 @@ export function extractPluginConfigs(raw: unknown): Record<string, unknown> {
     'plugins',
     'channels',
     'portForward',
+    'network',
     'dockerfile',
     'gitignore',
   ])

package/src/container/log-colors.ts

@@ -0,0 +1,75 @@
+// Per-source line tinting for `typeclaw logs` and `typeclaw compose logs`.
+// PR #146's wall-clock timestamp prefix made every line start identically,
+// dropping readability when many sources interleave. We restore visual
+// grouping by tinting each line based on its first `[tag]` (`[plugin:memory]`,
+// `[memory-logger]`, etc.). Same trick `compose/logs.ts#colorFor` uses for
+// agent names — stable hash → palette index → ANSI escape that wraps the
+// whole line body.
+//
+// Lines without a `[tag]` get no tint (only the leading timestamp is dimmed),
+// so untagged docker output, raw stack traces, and channel adapter logs
+// stay readable without inheriting a misleading color.
+
+import type { WritableStream as NodeWritable } from 'node:stream/web'
+
+const ANSI_RESET = '\x1b[0m'
+const ANSI_DIM = '\x1b[2m'
+const ANSI_CYAN = '\x1b[36m'
+const ANSI_YELLOW = '\x1b[33m'
+const ANSI_GREEN = '\x1b[32m'
+const ANSI_MAGENTA = '\x1b[35m'
+const ANSI_BLUE = '\x1b[34m'
+const ANSI_BRIGHT_CYAN = '\x1b[96m'
+const ANSI_BRIGHT_YELLOW = '\x1b[93m'
+const ANSI_BRIGHT_GREEN = '\x1b[92m'
+const ANSI_BRIGHT_MAGENTA = '\x1b[95m'
+const ANSI_BRIGHT_BLUE = '\x1b[94m'
+
+const TAG_PALETTE = [
+  ANSI_CYAN,
+  ANSI_YELLOW,
+  ANSI_GREEN,
+  ANSI_MAGENTA,
+  ANSI_BLUE,
+  ANSI_BRIGHT_CYAN,
+  ANSI_BRIGHT_YELLOW,
+  ANSI_BRIGHT_GREEN,
+  ANSI_BRIGHT_MAGENTA,
+  ANSI_BRIGHT_BLUE,
+] as const
+
+// Anchored to line start with a trailing space so a date that happens to
+// appear mid-line doesn't get dimmed.
+const TIMESTAMP_RE = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?= )/
+
+const TAG_RE = /\[([^\]\n]+)\]/
+
+// `useColor=false` returns the input verbatim; the contract that protects
+// pipes, file redirects, NO_COLOR, and tests from ANSI leakage.
+export function colorize(line: string, useColor: boolean): string {
+  if (!useColor || line.length === 0) return line
+
+  const ts = TIMESTAMP_RE.exec(line)
+  const timestampLen = ts ? ts[0].length : 0
+  const dimmedTimestamp = ts ? `${ANSI_DIM}${ts[0]}${ANSI_RESET}` : ''
+  const rest = line.slice(timestampLen)
+
+  const tag = TAG_RE.exec(rest)
+  if (!tag) return `${dimmedTimestamp}${rest}`
+
+  const tint = paletteColor(tag[1] ?? '')
+  return `${dimmedTimestamp}${tint}${rest}${ANSI_RESET}`
+}
+
+function paletteColor(seed: string): string {
+  let h = 0
+  for (let i = 0; i < seed.length; i++) h = (h * 31 + seed.charCodeAt(i)) >>> 0
+  return TAG_PALETTE[h % TAG_PALETTE.length] ?? TAG_PALETTE[0]
+}
+
+export function supportsColor(stream: NodeJS.WritableStream | NodeWritable): boolean {
+  const tty = (stream as unknown as { isTTY?: boolean }).isTTY === true
+  if (!tty) return false
+  if (process.env.NO_COLOR !== undefined && process.env.NO_COLOR !== '') return false
+  return true
+}

package/src/container/log-timestamps.ts

@@ -0,0 +1,84 @@
+// Docker emits each `--timestamps` line as `<RFC3339Nano> <body>\n`, e.g.
+// `2026-05-13T14:23:01.123456789Z hello world\n`. RFC3339Nano is precise but
+// painful to read live; humans want a wall-clock prefix. This module parses
+// the leading token, reformats it to `YYYY-MM-DD HH:MM:SS` in the host's
+// local timezone, and passes everything after the first space through.
+//
+// Stateful chunker mirroring src/compose/logs.ts#makeLinePrefixer: only emits
+// newline-terminated lines and flushes the un-terminated tail on EOF, so
+// interleaved reads from `docker logs` can never shred a line mid-character.
+
+import { colorize } from './log-colors'
+
+// `2026-05-13T14:23:01.123456789Z` or `...+09:00` etc. We accept anything
+// from Docker that Date can parse, but anchor on the ISO date+time prefix to
+// avoid eating non-timestamped log content.
+const TIMESTAMP_RE = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})) (.*)$/
+
+export type TimestampReformatter = {
+  write: (chunk: string) => string
+  flush: () => string
+}
+
+export type ReformatterOptions = {
+  // Color is opt-in and applied per emitted line *after* timestamp rewriting.
+  // Defaults to `false` so tests stay deterministic and pipes/files stay
+  // ANSI-free unless callers explicitly opt in via supportsColor(out).
+  color?: boolean
+}
+
+export function makeLogTimestampReformatter(
+  now: () => Date = () => new Date(),
+  options: ReformatterOptions = {},
+): TimestampReformatter {
+  const useColor = options.color ?? false
+  let buffer = ''
+  return {
+    write(chunk: string): string {
+      buffer += chunk
+      const nl = buffer.lastIndexOf('\n')
+      if (nl < 0) return ''
+      const complete = buffer.slice(0, nl + 1)
+      buffer = buffer.slice(nl + 1)
+      return complete
+        .split('\n')
+        .slice(0, -1)
+        .map((line) => `${colorize(reformatLine(line, now), useColor)}\n`)
+        .join('')
+    },
+    flush(): string {
+      if (buffer.length === 0) return ''
+      const out = `${colorize(reformatLine(buffer, now), useColor)}\n`
+      buffer = ''
+      return out
+    },
+  }
+}
+
+// Exported for tests. Format: `YYYY-MM-DD HH:MM:SS <rest>`. Falls back to the
+// raw line if it doesn't look like a Docker `--timestamps` line, and falls
+// back to `now()` if Docker's timestamp doesn't parse (defensive — shouldn't
+// happen, but losing one timestamp shouldn't hide the log body).
+export function reformatLine(line: string, now: () => Date = () => new Date()): string {
+  const match = TIMESTAMP_RE.exec(line)
+  if (!match) return line
+  const [, raw, body] = match
+  if (raw === undefined || body === undefined) return line
+  const parsed = new Date(raw)
+  const stamp = formatLocal(Number.isNaN(parsed.getTime()) ? now() : parsed)
+  return `${stamp} ${body}`
+}
+
+function formatLocal(d: Date): string {
+  const year = d.getFullYear()
+  const month = pad2(d.getMonth() + 1)
+  const day = pad2(d.getDate())
+  const hour = pad2(d.getHours())
+  const minute = pad2(d.getMinutes())
+  const second = pad2(d.getSeconds())
+  return `${year}-${month}-${day} ${hour}:${minute}:${second}`
+}
+
+function pad2(n: number): string {
+  return n < 10 ? `0${n}` : String(n)
+}

package/src/container/logs.ts

@@ -1,3 +1,5 @@
+import { supportsColor } from './log-colors'
+import { makeLogTimestampReformatter, type TimestampReformatter } from './log-timestamps'
 import { containerExists, containerNameFromCwd, getBun } from './shared'
 
 export type LogsPlan = {
@@ -7,7 +9,25 @@ export type LogsPlan = {
 
 export type LogsResult = { ok: true; containerName: string; exitCode: number } | { ok: false; reason: string }
 
-export async function logs({ cwd, follow }: { cwd: string; follow: boolean }): Promise<LogsResult> {
+export type LogsOptions = {
+  cwd: string
+  follow: boolean
+  out?: NodeJS.WritableStream
+  err?: NodeJS.WritableStream
+  signal?: AbortSignal
+  // When undefined, defaults to TTY+NO_COLOR detection on `out`/`err`.
+  // Tests pass `false` for deterministic plain output.
+  useColor?: boolean
+}
+
+export async function logs({
+  cwd,
+  follow,
+  out = process.stdout,
+  err = process.stderr,
+  signal,
+  useColor,
+}: LogsOptions): Promise<LogsResult> {
   const bun = getBun()
   if (!bun) return { ok: false, reason: 'bun runtime not available' }
 
@@ -18,14 +38,30 @@ export async function logs({ cwd, follow }: { cwd: string; follow: boolean }): P
       return { ok: false, reason: `Container ${containerName} not found. Run \`typeclaw start\` first.` }
     }
 
-    const cmd = ['docker', 'logs']
+    const cmd = ['docker', 'logs', '--timestamps']
     if (follow) cmd.push('-f')
     cmd.push(containerName)
 
-    // Inherit stdio so logs stream live and Ctrl+C reaches `docker logs`,
-    // which exits cleanly on SIGINT in follow mode.
-    const proc = bun.spawn({ cmd, cwd, stdout: 'inherit', stderr: 'inherit' })
+    const proc = bun.spawn({ cmd, cwd, stdout: 'pipe', stderr: 'pipe' })
+
+    const onAbort = (): void => {
+      try {
+        proc.kill('SIGTERM')
+      } catch {
+        // already exited
+      }
+    }
+    signal?.addEventListener('abort', onAbort, { once: true })
+
+    const colorOut = useColor ?? supportsColor(out)
+    const colorErr = useColor ?? supportsColor(err)
+    await Promise.all([
+      pumpWithTimestamps(proc.stdout, out, makeLogTimestampReformatter(undefined, { color: colorOut })),
+      pumpWithTimestamps(proc.stderr, err, makeLogTimestampReformatter(undefined, { color: colorErr })),
+    ])
     const exitCode = await proc.exited
+    signal?.removeEventListener('abort', onAbort)
+
     return { ok: true, containerName, exitCode }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
@@ -35,3 +71,33 @@ export async function logs({ cwd, follow }: { cwd: string; follow: boolean }): P
 export function planLogs(cwd: string, { follow }: { follow: boolean }): LogsPlan {
   return { containerName: containerNameFromCwd(cwd), follow }
 }
+
+// Exported for `compose/logs.ts` so the multi-agent path reuses the same
+// reformatter and stays consistent with single-agent output.
+export async function pumpWithTimestamps(
+  stream: ReadableStream<Uint8Array>,
+  sink: NodeJS.WritableStream,
+  reformatter: TimestampReformatter = makeLogTimestampReformatter(),
+): Promise<void> {
+  const decoder = new TextDecoder()
+  const reader = stream.getReader()
+  try {
+    while (true) {
+      const { done, value } = await reader.read()
+      if (done) break
+      if (value && value.byteLength > 0) {
+        const out = reformatter.write(decoder.decode(value, { stream: true }))
+        if (out.length > 0) sink.write(out)
+      }
+    }
+    const tail = decoder.decode()
+    if (tail.length > 0) {
+      const out = reformatter.write(tail)
+      if (out.length > 0) sink.write(out)
+    }
+    const flushed = reformatter.flush()
+    if (flushed.length > 0) sink.write(flushed)
+  } finally {
+    reader.releaseLock()
+  }
+}

package/src/container/start.ts

@@ -7,6 +7,7 @@ import { configSchema, expandMountPath, type Config } from '@/config/config'
 import { send as sendToDaemon } from '@/hostd/client'
 import type { HttpInfoResult } from '@/hostd/protocol'
 import { ensureDaemon } from '@/hostd/spawn'
+import { resolveBaseImageVersion } from '@/init/cli-version'
 import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
 import { ensureDepsInstalled, type EnsureDepsResult } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
@@ -142,7 +143,6 @@ export async function start({
     // one-shot and idempotent — once `workspaces` is set, refreshPackageJson
     // is a no-op, so users who never edit their agent folder pay zero cost on
     // subsequent starts and users who customized `workspaces` are not clobbered.
-    await refreshDockerfile(cwd)
     await refreshGitignore(cwd)
     const pkgRefresh = await refreshPackageJson(cwd)
     await commitSystemFile(cwd, GITIGNORE_FILE, 'Update .gitignore')
@@ -161,6 +161,11 @@ export async function start({
       return { ok: false, reason: `dependency install failed: ${deps.reason}` }
     }
     await commitSystemFile(cwd, DEPENDENCY_FILES, 'Update dependencies')
+    // Dockerfile refresh AFTER ensureDeps so the version pin in the FROM
+    // line resolves against the agent's installed node_modules/typeclaw —
+    // ensures the base image's CLI version matches the runtime the
+    // container will actually load.
+    await refreshDockerfile(cwd)
 
     if (state.exists) {
       // Container holds the name but is not running. Without `--rm`, this is
@@ -315,7 +320,8 @@ export async function planStart({
   const imageTag = imageTagFromCwd(cwd)
 
   const devSourcePath = await detectDevSource(cwd)
-  const mounts = await loadMounts(cwd)
+  const cfg = await loadTypeclawConfig(cwd)
+  const mounts = cfg.mounts
 
   // No `--rm`: a crashed container's logs MUST survive past exit so users can
   // debug the failure. `typeclaw stop` removes the container explicitly, and
@@ -324,6 +330,17 @@ export async function planStart({
   // a running container or one the user has not started again yet.
   const runArgs = ['run', '-d', '--name', containerName, '-p', `127.0.0.1:${hostPort}:${CONTAINER_PORT}`]
 
+  // Network egress filter: when `typeclaw.json#network.blockInternal` is true,
+  // grant the container CAP_NET_ADMIN at boot so the entrypoint shim can
+  // install iptables OUTPUT rules. The shim drops the capability from the
+  // bounding set via setpriv before exec'ing the agent — see the shim source
+  // in src/init/dockerfile.ts for the full handoff. The `-e` flag is what
+  // tells the shim to take the on-path; absent or set to anything other than
+  // "1", the shim is a no-op.
+  if (cfg.network.blockInternal) {
+    runArgs.push('--cap-add=NET_ADMIN', '-e', 'TYPECLAW_NETWORK_BLOCK_INTERNAL=1')
+  }
+
   if (hostdControl) {
     runArgs.push('--add-host', HOST_GATEWAY_ALIAS)
   }
@@ -386,7 +403,10 @@ export async function planStart({
 
 export async function refreshDockerfile(cwd: string): Promise<void> {
   const cfg = await loadTypeclawConfig(cwd)
-  await writeFile(join(cwd, DOCKERFILE), buildDockerfile(cfg.dockerfile))
+  await writeFile(
+    join(cwd, DOCKERFILE),
+    buildDockerfile(cfg.dockerfile, { baseImageVersion: resolveBaseImageVersion(cwd) }),
+  )
 }
 
 export async function refreshGitignore(cwd: string): Promise<void> {
@@ -576,11 +596,6 @@ async function detectDevSource(cwd: string): Promise<string | null> {
 // folder mid-init). Anything else — malformed JSON, schema-invalid config,
 // invalid mount entry — must surface so the user sees they configured a mount
 // that won't be applied.
-async function loadMounts(cwd: string): Promise<Config['mounts']> {
-  const cfg = await loadTypeclawConfig(cwd)
-  return cfg.mounts
-}
-
 async function loadTypeclawConfig(cwd: string): Promise<Config> {
   return configSchema.parse(await loadConfigJson(cwd))
 }

package/src/cron/consumer.ts

@@ -1,20 +1,25 @@
+import type { SessionOrigin } from '@/agent/session-origin'
 import type { HookBus } from '@/plugin'
 import type { Stream, Unsubscribe } from '@/stream'
 
 import type { CronJob, ExecJob, PromptJob } from './schema'
 
-// `hooks`, `sessionId`, and `getTranscriptPath` are optional so test fakes can
-// stay one-liners. When present, the consumer fires `session.idle` after every
-// prompt completion and `session.end` on dispose, mirroring the lifecycle
-// signals the TUI server already emits in `src/server/index.ts`. Without this
-// the bundled memory plugin's debounced `memory-logger` never spawns for cron
-// prompt jobs because it only wakes on `session.idle`.
+// `hooks`, `sessionId`, `agentDir`, and `getTranscriptPath` are optional so
+// test fakes can stay one-liners. When present, the consumer fires
+// `session.turn.start`/`session.turn.end` around `prompt()`, then
+// `session.idle` after, then `session.end` on dispose — mirroring the
+// lifecycle signals the TUI server emits in `src/server/index.ts`. Without
+// this the bundled memory plugin's debounced `memory-logger` never spawns for
+// cron prompt jobs (it only wakes on `session.idle`), and the bundled backup
+// plugin's turn counter would miss cron-driven activity.
 export type CronSession = {
   prompt: (text: string) => Promise<void>
   dispose?: () => void
   hooks?: HookBus
   sessionId?: string
+  agentDir?: string
   getTranscriptPath?: () => string | undefined
+  origin?: SessionOrigin
 }
 
 export type CronConsumerLogger = {
@@ -102,8 +107,25 @@ async function runPrompt(
     return
   }
   const session = await createSessionForCron(job)
+  const turnEvent =
+    session.hooks && session.sessionId !== undefined && session.agentDir !== undefined
+      ? {
+          sessionId: session.sessionId,
+          agentDir: session.agentDir,
+          ...(session.origin !== undefined ? { origin: session.origin } : {}),
+        }
+      : undefined
   try {
-    await session.prompt(job.prompt)
+    if (session.hooks && turnEvent !== undefined) {
+      await session.hooks.runSessionTurnStart(turnEvent)
+    }
+    try {
+      await session.prompt(job.prompt)
+    } finally {
+      if (session.hooks && turnEvent !== undefined) {
+        await session.hooks.runSessionTurnEnd(turnEvent)
+      }
+    }
     if (session.hooks && session.sessionId !== undefined) {
       await session.hooks.runSessionIdle({
         sessionId: session.sessionId,